120,000 IoT cameras vulnerable to new Persirai botnet say researchers

A new Internet of Things (IoT) botnet is targeting over 1,000 different models of vulnerable IP cameras and using the hijacked devices to carry out DDoS attacks.

Over 122,000 cameras from a variety of manufacturers are vulnerable to becoming part of the Persirai botnet - and the vast majority of owners don't even know their devices are exposed on the internet and thus easily targeted by malware.

Like many internet-connected devices, these cameras are built to be easily set up by the user - a design feature which often results in cybersecurity being an afterthought. As a result of this, the IP cameras can open a port on the router and act like a server, making them highly visible to IoT malware.

Taking advantage of this, the attackers are able to access the IP camera through the open port, then perform a command injection to force the camera to connect to a download site, from which a malicious shell script is executed to install malware onto the camera, roping it into the botnet.

Once downloaded and executed, the malware will delete itself and will only run in memory in an effort to avoid detection. Persirai's developers also take the step of blocking the exploit they use in order to prevent other attackers from targeting the camera and keep the infected device to themselves.
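One way a defender can look for the self-deleting, memory-only behaviour described above, as an added example that is not from the researchers or the original article. It assumes a Linux-based device or host (the article does not name the operating system), where a process whose executable was removed after launch still exposes `/proc/<pid>/exe` with ` (deleted)` appended to the link target; the function name `find_deleted_exe` is hypothetical.

```shell
#!/bin/sh
# Added example: list running processes whose on-disk executable has been
# unlinked, the trace left by malware that deletes itself after starting.
# Assumption: Linux-style /proc, where /proc/<pid>/exe is a symlink and the
# kernel appends " (deleted)" to its target once the file is removed.

find_deleted_exe() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # Kernel threads, and processes we lack permission to inspect,
        # have no readable exe link: skip them.
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                pid=${dir##*/}
                # cmdline is NUL-separated; print it with spaces instead.
                cmd=$(cat "$dir/cmdline" 2>/dev/null | tr '\0' ' ')
                # Output: pid <TAB> exe target <TAB> command line
                printf '%s\t%s\t%s\n' "$pid" "$target" "$cmd"
                ;;
        esac
    done
    return 0
}

# Scan the live system only when called as: sh thisfile.sh scan
if [ "${1:-}" = "scan" ]; then
    find_deleted_exe /proc
fi
```

A hit is a lead rather than proof: a service whose binary was replaced by a software update while it was still running shows up the same way.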

The cameras can be instructed to carry out DDoS attacks against target networks - an attack which, while unsophisticated, has the potential to do massive damage, as demonstrated by the Mirai botnet attacks last year, which brought large swathes of the internet and online services to a standstill.

While researchers have been unable to specifically identify those behind this IoT malware, the C&C servers have been traced to Iran and the author of the malware used some special Persian characters in the code.

Internet of Things devices remain vulnerable to cyberattacks as many manufacturers rush out devices without proper security measures and ship them to consumers who are unlikely to know how to change the default credentials, leaving devices open to attack.

These devices not only provide attackers with the opportunity to carry out DDoS attacks; a vulnerable IoT device could also provide a gateway onto a network as a whole, allowing hackers to carry out other criminal tasks including espionage on target organisations.